Compare revisions

Christophe Maudoux · Christophe Maudoux · Yadd · Yadd · Yadd · Yadd
--- a/doc/sources/admin/authcas.rst
+++ b/doc/sources/admin/authcas.rst
@@ -108,7 +108,7 @@ For example, to preselect this server for users coming from 129.168.0.0/16 netwo

 ::

-   $ENV{REMOTE_ADDR} =~ /^192\.168/
+   $env->{REMOTE_ADDR} =~ /^192\.168/

 To preselect this server when the ``MY_SRV`` :doc:`choice <authchoice>` is selected ::


--- a/doc/sources/admin/authcombination.rst
+++ b/doc/sources/admin/authcombination.rst
@@ -274,12 +274,11 @@ configuration, else users will be authenticated by SSL only.
 Migrating from Multi
 --------------------

-Old :doc:`Multiple backends stack<authmulti>`
-implemented only \`if\` and \`or\` keywords. Examples:
-
-================================================================ =====================================================
-Multi expressions                                                Combination
-================================================================ =====================================================
-``LDAP;DBI``                                                     ``[myLDAP] or [myDBI]``
-``DBI $ENV{REMOTE_ADDR}=~/^192/;LDAP $ENV{REMOTE_ADDR}!~/^192/`` ``if $env->{REMOTE_ADDR} then [myDBI] else [myLDAP]``
-================================================================ =====================================================
+Old :doc:`Multiple backends stack<authmulti>` implemented only \`if\` and \`or\` keywords. Examples:
+
+======================================================================== =============================================================
+Multi expressions                                                        Combination
+======================================================================== =============================================================
+``LDAP;DBI``                                                             ``[myLDAP] or [myDBI]``
+``DBI $env->{REMOTE_ADDR} =~ /^192/;LDAP $env->{REMOTE_ADDR} !~ /^192/`` ``if $env->{REMOTE_ADDR} then [myDBI] else [myLDAP]``
+======================================================================== =============================================================
--- a/doc/sources/admin/customfunctions.rst
+++ b/doc/sources/admin/customfunctions.rst
@@ -95,5 +95,5 @@ for example:

 ::

-   function1( $uid, $ENV{REMOTE_ADDR} )
+   function1( $uid, $env->{REMOTE_ADDR} )

--- a/doc/sources/admin/extendedfunctions.rst
+++ b/doc/sources/admin/extendedfunctions.rst
@@ -375,9 +375,9 @@ Usage examples:

 ::

-   ipInSubnet($ENV{REMOTE_ADDR}, '127.0.0.0/8')
+   ipInSubnet($env->{REMOTE_ADDR}, '127.0.0.0/8')

-   ipInSubnet($ENV{REMOTE_ADDR}, '10.0.0.0/8', '192.168.0.0/16')
+   ipInSubnet($env->{REMOTE_ADDR}, '10.0.0.0/8', '192.168.0.0/16')

 The function returns 1 if provided IP is in one of the subnets, and 0 if
 it is not.

--- a/doc/sources/admin/selfmadeapplication.rst
+++ b/doc/sources/admin/selfmadeapplication.rst
@@ -31,7 +31,7 @@ Perl

 .. code-block:: perl

-   print "Connected user: ".$ENV{HTTP_AUTH_USER};
+   print "Connected user: " . $env->{HTTP_AUTH_USER};

 PHP
 ~~~

--- a/doc/sources/admin/ssoaas.rst
+++ b/doc/sources/admin/ssoaas.rst
@@ -259,7 +259,7 @@ Simple example:

   # Optionally ($fcgiResponse is the PSGI response of remote FCGI auth server)
   #sub on_reject {
-   #    my($self,$env,$fcgiResponse) = @_;
+   #    my($self, $env, $fcgiResponse) = @_;
   #    my $statusCode = $fcgiResponse->{status};
   #    ...
   #}

--- a/doc/sources/admin/upgrade_2_x.rst
+++ b/doc/sources/admin/upgrade_2_x.rst
@@ -278,7 +278,7 @@ In previous versions of LemonLDAP::NG, a 2FA protected account didn't need to us

 If you are *absolutely sure* that you want 2FA protected accounts to access AuthBasic handlers, which are password only, you can add the following test in your 2FA activation rules ::

-    and not $ENV{AuthBasic}
+    and not $env->{AuthBasic}


 2.0.16

--- a/doc/sources/admin/upgrade_templates.rst
+++ b/doc/sources/admin/upgrade_templates.rst
@@ -7,6 +7,7 @@ Template updates

    * You are using a custom LemonLDAP::NG theme
    * AND you modified some of LemonLDAP::NG's base templates (``login.tpl``, etc.).
+
    Note that templates whose name start with ``custom`` (``customfooter.tpl``, etc.) do NOT count.

    In other words, you can safely ignore this entire page if:
@@ -23,7 +24,7 @@ Floating category menu

 You can now display an applications category as a floating menu by setting a category name
 in ``General Parameters`` > ``Portal`` > ``Customization`` > ``Floating category name``.
-Apply the following patches to ``menu.tpl`` and ``script.tpl`` to use this new feature:
+Apply the following patches to ``menu.tpl``, ``footer.tpl`` and ``script.tpl`` to use this new feature:

 .. code-block:: diff


--- a/doc/sources/admin/writingrulesand_headers.rst
+++ b/doc/sources/admin/writingrulesand_headers.rst
@@ -19,8 +19,7 @@ Available $ENV variables

 The %ENV hash provides:

-  all headers in CGI format (``User-Agent`` becomes
-   ``HTTP_USER_AGENT``)
+-  all headers in CGI format (``User-Agent`` becomes ``HTTP_USER_AGENT``)
 -  some CGI variables depending on the context:

   -  For portal: all CGI standard variables (you can add custom
@@ -32,19 +31,21 @@ The %ENV hash provides:

 -  For Portal:

-   -  $ENV{urldc} : Origin URL before Handler redirection, in cleartext
-   -  $ENV{_url} : Origin URL before Handler redirection, base64 encoded
+   -  $env->{urldc} : Origin URL before Handler redirection, in cleartext
+   -  $env->{_url} : Origin URL before Handler redirection, base64 encoded

 See also :doc:`extended functions<extendedfunctions>`.

 .. tip::

-    You can use %ENV hash or $env hash ref. Both syntaxes are available
-    for compatibity. 
+    You can use %ENV hash or $env hash ref. Both syntaxes are available for compatibity. 

    ::

-       $ENV{REMOTE_ADDR} and $env->{REMOTE_ADDR} are similar.
+       $env->{REMOTE_ADDR} and $env->{REMOTE_ADDR} are similar.
+
+    %env and template variables can be dumped by setting ``logParams = 1``
+    in ``lemonldap-ng.ini`` file.

 .. _rules:

@@ -66,7 +67,7 @@ Restrict /admin/ directory to user bart.simpson
 Restrict /js/ and /css/ directory to authenticated users                                                                                        ^/(css|js)/        accept
 Deny access to /config/ directory                                                                                                               ^/config/          deny
 Do not restrict /public/                                                                                                                        ^/public/          skip
-Do not restrict /skip/ and restrict other to authenticated users                                                                                ^/skip/            $ENV{REQUEST_URI} =~ /skip/ ? skip : 1
+Do not restrict /skip/ and restrict other to authenticated users                                                                                ^/skip/            $env->{REQUEST_URI} =~ /skip/ ? skip : 1
 Makes authentication optional, but authenticated users are seen as such (that is, user data are sent to the app through HTTP headers)           ^/forum/           unprotect
 Restrict access to the whole site to users that have the LDAP description field set to "LDAP administrator" (must be set in exported variables) default
 =============================================================================================================================================== ================== ======================================

--- a/lemonldap-ng-common/lemonldap-ng.ini
+++ b/lemonldap-ng-common/lemonldap-ng.ini
@@ -40,8 +40,9 @@ useSafeJail = 1
 ; 1 - Defined logging level
 ;   Set here one of error, warn, notice, info or debug
 logLevel     = notice
-; Note that this has no effect for Apache2 logging: Apache LogLevel is used
-; instead
+; Note that this has no effect for Apache2 logging: Apache LogLevel is used instead
+;   Uncomment this to dump $req and $env variables. Require logLevel = debug
+;logParams = 1
 ;
 ; 2 - Change logger
 ;

--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/DefaultValues.pm
+++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/DefaultValues.pm
@@ -118,8 +118,8 @@ sub defaultValues {
        'handlerInternalCache'          => 15,
        'handlerServiceTokenTTL'        => 30,
        'hiddenAttributes'              => '_password _2fDevices',
-        'hideOldPassword'               => 1,
-        'httpOnly'                      => 1,
+        'hideOldPassword'               =>  1,
+        'httpOnly'                      =>  1,
        'https'                         => -1,
        'impersonationHiddenAttributes' => '_2fDevices, _loginHistory',
        'impersonationIdRule'           => 1,

--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm
@@ -178,6 +178,7 @@ sub tree {
                                {
                                    title => 'dbiConnection',
                                    help  => 'authdbi.html#connection',
+                                    form  => 'simpleInputContainer',
                                    nodes => [
                                        'dbiAuthChain', 'dbiAuthUser',
                                        'dbiAuthPassword'

--- a/lemonldap-ng-manager/site/htdocs/static/struct.json
+++ b/lemonldap-ng-manager/site/htdocs/static/struct.json
--- a/lemonldap-ng-portal/MANIFEST
+++ b/lemonldap-ng-portal/MANIFEST
@@ -575,6 +575,7 @@ t/01-Cookie-Domain.t
 t/01-CSP-and-CORS-headers.t
 t/01-Custom2fa.t
 t/01-CustomMenu.pm
+t/01-disabledPlugins.t
 t/01-downloadSamlMetadata.t
 t/01-Dynamic-Portal-Url.t
 t/01-EnablePasswordDisplay.t
@@ -602,6 +603,7 @@ t/04-language-selection.t
 t/05-Hashed-Session.t
 t/06-portal-maintainance.t
 t/10-AuthCustom.t
+t/11-MessageBroker-Logout.t
 t/11-MessageBroker-MQTT.t
 t/11-MessageBroker-Pg.t
 t/11-MessageBroker-Redis.t
@@ -735,6 +737,7 @@ t/32-OIDC-JWE.t
 t/32-OIDC-JWS-client_secret_jwt.t
 t/32-OIDC-JWS-private_key_jwt.t
 t/32-OIDC-JWT-type-header.t
+t/32-OIDC-login_hint.t
 t/32-OIDC-Logout-from-RP-bypass-confirm.t
 t/32-OIDC-Logout-redirect-uri-not-allowed.t
 t/32-OIDC-Macro.t

--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm
@@ -246,6 +246,8 @@ sub loadRPs {

 sub ssoMatch {
    my ( $self, $req ) = @_;
+    my $lh = $req->param('login_hint');
+    $req->data->{suggestedLogin} ||= $lh if $lh;
    return ( $req->uri =~ $self->ssoMatchUrl ? 1 : 0 );
 }

@@ -1795,7 +1797,7 @@ sub _handleAuthorizationCodeGrant {
    # Generate refresh_token
    my $refresh_token = undef;

-    my $sid;
+    my $sid = $self->getSidFromSession($rp, $apacheSession->data);

    # For offline access, the refresh token isn't tied to the session ID
    if ( $codeSession->{data}->{offline} ) {
@@ -1822,6 +1824,7 @@ sub _handleAuthorizationCodeGrant {
                  $apacheSession->data->{ $self->conf->{whatToTrace} },
                auth_time  => $apacheSession->data->{_lastAuthnUTime},
                grant_type => "authorizationcode",
+                _oidc_sid  => $sid,
            },
            1,
        );
@@ -1835,9 +1838,6 @@ sub _handleAuthorizationCodeGrant {
        $refresh_token = $refreshTokenSession->id;

        $self->logger->debug("Generated offline refresh token: $refresh_token");
-
-        $sid = $self->getSidFromSession( $rp,
-            { _session_id => $refreshTokenSession->id } );
    }

    # For online access, if configured
@@ -1854,6 +1854,7 @@ sub _handleAuthorizationCodeGrant {
                  $apacheSession->data->{ $self->conf->{whatToTrace} },
                user_session_id => $codeSession->data->{user_session_id},
                grant_type      => "authorizationcode",
+                _oidc_sid  => $sid,
            },
            0,
        );
@@ -1885,7 +1886,6 @@ sub _handleAuthorizationCodeGrant {
            ( $nonce   ? ( nonce   => $nonce )   : () ),
            ( $at_hash ? ( at_hash => $at_hash ) : () ),
        },
-        $sid,
    );

    unless ($id_token) {

--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
@@ -429,6 +429,7 @@ sub buildAuthorizationCodeAuthnRequest {
    my $max_age       = $self->opOptions->{$op}->{oidcOPMetaDataOptionsMaxAge};
    my $ui_locales = $self->opOptions->{$op}->{oidcOPMetaDataOptionsUiLocales};
    my $acr_values = $self->opOptions->{$op}->{oidcOPMetaDataOptionsAcrValues};
+    my $login_hint = $req->data->{suggestedLogin};

    my $authorize_request_oauth2_params = {
        response_type => $response_type,
@@ -437,6 +438,7 @@ sub buildAuthorizationCodeAuthnRequest {
        redirect_uri  => $redirect_uri,
        ( defined $state ? ( state => $state ) : () ),
        ( defined $nonce ? ( nonce => $nonce ) : () ),
+        ( defined $login_hint ? ( login_hint => $login_hint) : () ),
    };
    my $authorize_request_params = {
        %$authorize_request_oauth2_params,
@@ -1860,12 +1862,12 @@ sub getEndPointAuthenticationCredentials {
    my ( $client_id, $client_secret, $scheme );

    my $authorization = $req->authorization;
-    if ( $authorization and $authorization =~ /^Basic (\w+)/i ) {
+    if ( $authorization and $authorization =~ m#^Basic ([[:alnum:]+/=]+)#i ) {
        $scheme = 'client_secret_basic';
        $self->logger->debug("Method client_secret_basic used");
        eval {
            ( $client_id, $client_secret ) =
-              split( /:/, decode_base64($1) );
+              split( ':', decode_base64($1), 2 );
        };
        $self->logger->error("Bad authentication header: $@") if ($@);

@@ -2738,7 +2740,8 @@ sub generateNonce {

 sub getSidFromSession {
    my ( $self, $rp, $sessionInfo ) = @_;
-    return Digest::SHA::hmac_sha256_base64(
+    return $sessionInfo->{_oidc_sid}
+      || Digest::SHA::hmac_sha256_base64(
        $sessionInfo->{_session_id} . ':' . $rp );
 }


--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm
@@ -195,6 +195,7 @@ sub display {
            ASK_STAYCONNECTED => $req->param('stayconnected') || 0,
            CONFIRMKEY        => $self->stamp(),
            LIST              => $req->data->{list} || [],
+            LOGIN_HINT        => $req->data->{suggestedLogin},
            (
                $req->data->{customScript}
                ? ( CUSTOM_SCRIPT => $req->data->{customScript} )
@@ -412,7 +413,7 @@ sub display {
    # 3 Authentication has been refused OR first access
    else {
        $skinfile = 'login';
-        my $login = $req->user;
+        my $login = $req->user || $req->data->{suggestedLogin};
        %templateParams = (
            $self->getErrorTplParams($req),
            AUTH_URL              => $req->{data}->{_url},

--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Init.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Init.pm
@@ -8,7 +8,7 @@
 #                  of lemonldap-ng.ini) and underlying handler configuration
 package Lemonldap::NG::Portal::Main::Init;

-our $VERSION = '2.20.0';
+our $VERSION = '2.21.0';

 package Lemonldap::NG::Portal::Main;

@@ -170,6 +170,15 @@ sub init {
    # Insert `reloadConf` in handler reload stack
    Lemonldap::NG::Handler::Main->onReload( $self, 'reloadConf' );

+    # Register logout event (unlog event is only a local unlog: clean cache)
+    &Lemonldap::NG::Handler::Main::MsgActions::addMsgAction(
+        'logout',
+        sub {
+            my ( $class, $id, $req ) = @_;
+            return $self->eventLogout( $req, $id );
+        }
+    );
+
    # Handler::PSGI::Try initialization
    unless ( $self->SUPER::init( $self->localConfig ) ) {
        $self->logger->error( 'Initialization failed: ' . $self->error );
@@ -473,12 +482,11 @@ sub reloadConf {

    # Set asset tag from version and optional salt
    my $cacheTagSalt = $self->conf->{cacheTagSalt} // "";
-    my $key = $self->conf->{key} // "";
-    my $digest         = substr(
+    my $key          = $self->conf->{key}          // "";
+    my $digest       = substr(
        MIME::Base64::encode_base64url(
            Digest::SHA::hmac_sha256(
-                $Lemonldap::NG::Portal::VERSION . $cacheTagSalt,
-                $key
+                $Lemonldap::NG::Portal::VERSION . $cacheTagSalt, $key
            )
        ),
        0, 8
@@ -714,20 +722,25 @@ sub displayError {
 # returns undef if the rule syntax was invalid
 sub buildRule {
    my ( $self, $rule, $ruleDesc ) = @_;
-    if ($ruleDesc) {
-        $ruleDesc = " $ruleDesc ";
-    }
-    else {
-        $ruleDesc = " ";
-    }
+    $ruleDesc ||= '';
    my $compiledRule =
      $self->HANDLER->buildSub( $self->HANDLER->substitute($rule) );
    unless ($compiledRule) {
        my $error =
          $self->HANDLER->tsv->{jail}->error || 'Unable to compile rule';
-        $self->logger->error( "Bad" . $ruleDesc . "rule: " . $error );
+        $self->logger->error("Bad $ruleDesc rule: $error");
+        return undef;
+    }
+
+    # Avoid deep recursion
+    my $overLoadedRule = $compiledRule;
+    if ( $self->conf->{logParams} ) {
+        $overLoadedRule = sub {
+            $self->_dump($_[0]);
+            return $compiledRule->(@_);
+        };
    }
-    return $compiledRule,;
+    return $overLoadedRule;
 }

 sub addPasswordPolicyDisplay {

--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Process.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Process.pm
@@ -249,6 +249,30 @@ sub checkUnauthLogout {
    return PE_OK;
 }

+sub eventLogout {
+    my ( $self, $req, $msg ) = @_;
+    bless $req, 'Lemonldap::NG::Portal::Main::Request';
+    $self->logger->debug("Receive a logout event");
+    $self->processHook( $req, 'eventLogout', $msg );
+    if ( $msg->{id} ) {
+        $self->logger->debug(" -> logout asked for $msg->{id}");
+        if ( my $session = HANDLER->retrieveSession( $req, $msg->{id} ) ) {
+            $req->id( $session->{_session_id} );
+            $req->pdata( {} );
+            $self->do( $req,
+                [ @{ $self->beforeLogout }, 'authLogout', 'deleteSession' ],
+                1 );
+        }
+        else {
+            $self->_unauthLogout($req);
+        }
+    }
+    else {
+        $self->logger->debug('Logout event without id');
+        $self->_unauthLogout($req);
+    }
+}
+
 sub checkCancel {
    my ( $self, $req ) = @_;
    if ( $req->param('cancel') ) {

--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
@@ -328,6 +328,7 @@ sub unauthLogout {

 sub _unauthLogout {
    my ( $self, $req ) = @_;
+    $self->processHook( $req, 'unAuthLogout' );
    $self->logger->debug('Unauthenticated logout request');
    $self->logger->debug('Cleaning pdata');
    $self->logger->debug("Removing $self->{conf}->{cookieName} cookie");
@@ -1062,6 +1063,10 @@ sub getTrOver {

 sub sendHtml {
    my ( $self, $req, $template, %args ) = @_;
+    if ( $self->conf->{logParams} ) {
+        $self->_dump($req);
+        $self->_dump( \%args );
+    }

    my $skin_template_dir = $self->getSkinTplDir( $self->getSkin($req) );
No results found